close

Joe Grandja

Joe Grandja

Spring Security Senior Engineer

Toronto, Canada

Joe has been in the Software Industry for over 20 years. He has successfully designed, built and delivered enterprise grade software in the financial services and health sector. He has been using Spring for over 10 years and is very excited to have joined the Spring Security engineering team, in early 2016. Outside of his passion for crafty software, Joe continues to travel the world with his family, snowboarding the most challenging mountains, exploring nature on foot and doing his best to enjoy what life brings.
Blog Posts by Joe Grandja

Spring Authorization Server 0.0.3 available now

On behalf of the team and everyone who has contributed, it is my pleasure to announce the general availability of Spring Authorization Server 0.0.3.

You can download it from repo.spring.io and Maven Central by using the module coordinates:

compile 'org.springframework.security.experimental:spring-security-oauth2-authorization-server:0.0.3'

For additional details on this new project, see the initial announcement and project page.

The main features delivered in this release are:

  • OAuth 2.0 Refresh Token Grant — RFC 6749

  • OAuth 2.0 Token Revocation — RFC 7009

Read more...

Spring Security 5.5.0-M1 Released

On behalf of the community, I’m pleased to announce the release of Spring Security 5.5.0-M1! You can find the complete details in the release notes and the highlights below:

OAuth 2.0

gh-5502 - OAuth2Token interface for AbstractOAuth2Token
gh-9070 - Use LobHandler in JdbcOAuth2AuthorizedClientService
gh-8765 - Provide a R2dbc implementation of ReactiveOuath2AuthorizedClientService
gh-7160 - JwtDecoders and ReactiveJwtDecoders should determine algorithm from JWK Set Endpoint

SAML

gh-9177 - SAML 2.0 Asserting Party Metadata resolution should read SigningMethod elements
gh-9131 - OpenSamlAuthenticationProvider should decrypt attributes
gh-9028 - File-based Configuration for Asserting Party Metadata
Read more...

Spring Authorization Server 0.0.2 available now

On behalf of the team and everyone who has contributed, it is my pleasure to announce the general availability of Spring Authorization Server 0.0.2.

You can download it from repo.spring.io and Maven Central by using the module coordinates:

compile 'org.springframework.security.experimental:spring-security-oauth2-authorization-server:0.0.2'

For additional details on this new project, see the initial announcement and project page.

The main features delivered in this release are:

  • Proof Key for Code Exchange by OAuth Public Clients (PKCE) — RFC 7636

  • User Consent page for OAuth 2.0 Authorization Code Grant — RFC 6749

Read more...

Get the very first bits of Spring Authorization Server 0.0.1 !

On behalf of the team and everyone who has contributed, we are very excited to deliver the very first bits of Spring Authorization Server in the 0.0.1 release!

You can download it from repo.spring.io and Maven Central by using the module coordinates:

compile 'org.springframework.security.experimental:spring-security-oauth2-authorization-server:0.0.1'

For additional details on this new project, see the initial announcement and project page.

The main features delivered in this initial release are:

  • OAuth 2.0 Authorization Code Grant — RFC 6749

  • OAuth 2.0 Client Credentials Grant — RFC 6749

  • JSON Web Token (JWT) — RFC 7519

  • JSON Web Signature (JWS) — RFC 7515

  • JSON Web Key (JWK) — RFC 7517

  • Key Management for providing key(s) when signing a JWT (JWS)

Read more...

End-of-Life for Spring Security OAuth

In January 2018, we announced that the Spring Security OAuth (legacy) project is officially in maintenance mode. Later in November of 2019, we provided an update in the Spring Security OAuth 2.0 Roadmap, stating that the 2.3.x line will reach end-of-life in March 2020.

The currently supported version branches are 2.4.x and 2.5.x, with the 2.5.0 release scheduled for May 2020, which will be the final minor release.

To that end, the plan is to provide patch and security fixes for the 2.4.x and 2.5.x line until May 2021. Additionally, security fixes will be supported for the 2.5.x line until May 2022, at which point the project will have reached end-of-life. The same end-of-life timeline applies to the Spring Boot 2 auto-configuration project.

Read more...